Samba-3.0.0 RC's and transitive trusts

Jason Haar Jason.Haar at trimble.co.nz
Thu Sep 18 20:49:04 GMT 2003


On Thu, Sep 18, 2003 at 11:17:27AM -0500, Gerald (Jerry) Carter wrote:
> Can you describe your domain structure a little more.  I'm a
> little unclear on what is not working.

OK,

Like everyone else, we used to have an NT4 network. With Active Directory
(AD), we decided to migrate to AD instead of upgrading. So we originally had a
bunch of trusted NT4 domains (let's say "nt-1","nt-2","nt-3"). Now we still
have them (so much for the "migration" ;-), but we also have an AD tree: a
root domain "top-dom", and subdomains "sub1.top-dom","sub2.top-dom". 
Those ADs show up under Win9x/NT  as "sub1" and "sub2". The AD is
configured to have trust relationships with the old NT4 domains, and "sub1"
trusts "sub2" due to AD trusts being transitive.

So I've tried installing Samba-3.0.0rc* into the sub1.top-dom AD domain. 

[global]
        workgroup = SUB1
        realm = SUB1.TOP-DOM

...and I've done a successful "net join" and can connect correctly to the
Samba server from  "sub1.top-dom" and "nt-1" accounts. So that's the
server-side component working OK.

Also, if I do "wbinfo -m", it returns:

NT-1
NT-2
SUB2
TOP-DOM

Now I want to get client-side working (i.e. winbindd). I have it running,
and have edited /etc/nsswitch.conf to use it to do getent lookups. When I do:

getent passwd sub1.top-dom+jhaar
getent passwd sub1+jhaar
getent passwd nt-1+jhaar

it works correctly. However, when I do:

getent passwd sub2.top-dom+username
getent passwd sub2+username

It doesn't work. "winbindd -d9" reports

accepted socket 20
[12866]: request interface version
[12866]: request location of privileged pipe
accepted socket 22
read failed on sock 20, pid 12866: EOF
[12866]: getpwnam sub2+user
user 'user' does not exist
read failed on sock 22, pid 12866: EOF

One other thing. I don't know how usable winbindd is supposed to be yet, but
it's not in a usable state on our network. I find that winbindd works for
5-15 minutes (once it's loaded fully), but then hangs indefinitely.  i.e.
"wbinfo -p" works for 5-15 minutes, thereafter never returns. The initial
debugging upon starting winbindd shows it going off all over our WAN looking
up what I assume it thinks are domain controllers - but by eyeball I can say
those boxes aren't or aren't any more. Eventually (after 1-2 minutes) it
finds working domain controllers and then "wbinfo -p" starts working.
Perhaps we have some chronic Windows configuration issues on our network,
but they don't manifest themselves as far as Windows is concerned...

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1


